The Biometric Trap: Why Dispensary ID Scanners Are Triggering Devastating Privacy Lawsuits

Every licensed cannabis dispensary in America uses an ID scanner. Most operators think of it as a simple age verification tool — point, scan, done. But depending on what that scanner collects, stores, and transmits, it may be silently building a biometric database of every customer who has ever walked through your door. And in states with biometric privacy laws, that database is a class-action lawsuit waiting to be filed.


The ID Scanner That Became a Liability

Walk into any licensed dispensary in America and the first thing that happens is age verification. A budtender takes your ID, slides it under a scanner, and within seconds your age is confirmed and you're cleared to shop. It's routine, it's fast, and it's legally required in every regulated cannabis market in the country.

What most dispensary owners and operators don't know — and what most ID scanner vendors have historically not volunteered — is what happens to the data those scanners collect after the age is confirmed. The answer depends entirely on which scanner your dispensary is using, how it's configured, what your vendor's data retention settings are, and whether any biometric analysis is happening underneath the surface of what appears to be a simple document scan.

In Illinois, a lawsuit against PharmaCann, one of the largest multi-state cannabis operators in the country, and its ID scanner vendor TokenWorks alleged exactly this: that visitors to PharmaCann dispensaries had their biometric data captured, collected, stored, and disseminated without their knowledge or consent. The plaintiffs alleged that TokenWorks' IDentiFake scanners, marketed as identity verification tools, were also collecting biometric identifiers from customers, and that TokenWorks was profiting from PharmaCann's use of those scanners. The case put both the dispensary operator and the technology vendor in the same legal crosshairs simultaneously.

This is not an isolated incident. It is the leading edge of a biometric privacy litigation wave that has already cost American businesses hundreds of millions of dollars and that is moving aggressively into cannabis retail in 2026.


Understanding BIPA: The Law With Catastrophic Arithmetic

Illinois' Biometric Information Privacy Act (BIPA), enacted in 2008, is the most powerful consumer biometric privacy law in the United States — and the one most likely to affect cannabis dispensaries, given that Illinois is home to one of the largest and most competitive regulated cannabis markets in the country.

BIPA defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. The provision that trips up ID scanner deployments is this: photographs as such are excluded from the definition, but once software analyzes a photograph to extract, create, or store a mathematical representation of facial features (a "faceprint" or facial geometry template), Illinois courts have treated the result as a biometric identifier. A scanner that only decodes the barcode on the back of the card never touches a face. Scanners that add photo-to-face matching, repeat-customer detection, or similar fraud features do: they run the card photo, and often a live camera frame, through a facial recognition model and produce exactly such a template.

Under BIPA (740 ILCS 14/15), any private entity collecting biometric identifiers must:

  • Inform the subject in writing that biometric data is being collected and stored
  • Explain the specific purpose for which it's being collected
  • State how long the data will be retained
  • Obtain a written release — affirmative consent — before any collection occurs
  • Never sell, lease, trade, or profit from any individual's biometric data
  • Protect biometric data with the same or greater security standards as other confidential information
  • Destroy biometric data within three years or when the purpose for collection is fulfilled, whichever comes first

The penalty structure is what made BIPA the most feared privacy law in America before its 2024 amendments. Original BIPA allowed:

  • $1,000 per negligent violation
  • $5,000 per intentional or reckless violation
  • Attorney's fees and litigation costs added on top

The arithmetic became truly catastrophic when the Illinois Supreme Court ruled in Cothron v. White Castle (2023) that every individual scan or transmission constitutes a separate violation. White Castle faced a potential $17 billion in liability across approximately 9,500 employees whose fingerprints were scanned repeatedly to clock in and out. In the first BIPA jury trial, Rogers v. BNSF Railway, the jury found 45,600 violations and the court entered a $228 million judgment at $5,000 per violation. That judgment was later vacated on the ground that BIPA damages are discretionary rather than automatic, and BNSF settled for $75 million in 2024, but the per-scan math it illustrated is what drove the 2024 amendments.

For a cannabis dispensary scanning IDs — and potentially capturing facial geometry — at every single customer visit, across thousands of visits per week, the "per scan" interpretation created exposure that could functionally exceed the enterprise value of the business itself.


The 2024 BIPA Amendments: Relief Without Absolution

Illinois responded to the catastrophic per-scan liability math with SB 2979, signed in August 2024, which amended BIPA so that a person whose data is collected (section 15(b)) or disclosed (section 15(d)) in violation of the Act by the same method more than once is entitled to at most one recovery per section, rather than one per scan. The same amendment confirmed that an electronic signature satisfies the "written release" requirement. This significantly reduced the existential exposure for businesses facing large-scale BIPA claims, and Illinois courts dismissed at least one high-profile biometric privacy lawsuit against a cannabis business in 2025 in light of the amended statute.

However, cannabis operators who interpret the 2024 amendments as a clean slate are making a dangerous mistake. The core BIPA requirements remain entirely intact:​

  • Consumer notice before collection is still required
  • Written informed consent is still required
  • Data retention policies are still required
  • Secure data handling standards are still required
  • $1,000 per person per violated provision for negligent violations still applies
  • $5,000 per person per violated provision for intentional or reckless violations still applies

For a dispensary that has been scanning IDs without BIPA-compliant consent notices since adult-use sales began in 2020, and has enrolled hundreds of thousands of customers in a loyalty program whose app uses the camera for face-based check-in, the per-person exposure across a multi-year period is still potentially enormous. BIPA class actions remain a "serious financial threat" even after the amendment, particularly for businesses that cannot demonstrate compliant consent workflows. Biometric class action settlements totaled $136.6 million in 2025 even after the amendments reduced their frequency; that figure is 34% below 2024's $207 million, which shows how much larger biometric settlements were before reform.


The Multi-State Biometric Landscape: It's Not Just Illinois

Illinois may be the highest-profile biometric privacy battleground, but it is not the only one. A growing patchwork of state biometric laws creates a multi-jurisdiction exposure for cannabis MSOs operating across state lines.

Texas — Capture or Use of Biometric Identifier Act (CUBI)
Texas enacted its biometric privacy law (Tex. Bus. & Com. Code § 503.001) in 2009. It requires notice and consent before a biometric identifier is captured for a commercial purpose, bars selling or disclosing the identifier outside narrow exceptions, and mandates destruction within a reasonable time and no later than one year after the purpose for collection expires. Unlike BIPA, CUBI is enforced by the Texas Attorney General rather than through private litigation, so there is no private right of action for individual consumers, but civil penalties run up to $25,000 per violation. Texas has been actively expanding its privacy enforcement posture, and the AG's office has shown increasing willingness to investigate technology-related privacy complaints, particularly following high-profile cases. For any MSO with Texas locations, CUBI compliance is a direct AG enforcement risk.

Washington State
Washington's biometric privacy law (RCW 19.375), enacted in 2017, similarly prohibits enrolling a biometric identifier in a database for a commercial purpose without notice and consent, and requires reasonable protections against unauthorized use. Like Texas, enforcement is through the state attorney general rather than private litigation. However, Washington's My Health My Data Act (MHMD) creates a private right of action, through the state Consumer Protection Act, for consumer health data violations. Because cannabis purchase data tied to biometric identity verification can fall within MHMD's broad definition of consumer health data, MHMD creates a back-door private litigation pathway for biometric violations in cannabis retail specifically.

New York City
New York City's biometric identifier information law (Local Law 3 of 2021, Administrative Code § 22-1201 et seq.) requires commercial establishments that collect biometric identifier information, including facial recognition and fingerprint data, to post clear and conspicuous signage at customer entrances notifying customers that biometric data is being collected, and prohibits selling or otherwise profiting from that data. Its private right of action carries $500 per signage violation (after a 30-day written notice and cure opportunity), $500 per negligent sale or sharing, and $5,000 per intentional or reckless sale or sharing. Any cannabis dispensary operating in New York City using facial recognition at the door without posted signage is exposed the moment a customer sends that notice.

California
California's CCPA, as amended by the CPRA, treats biometric information processed to uniquely identify a consumer as sensitive personal information. That is not an opt-in regime: it requires notice at or before collection, gives consumers a right to limit use and disclosure of that data to what is necessary to provide the requested service, and obliges the business to honor that limit. Using ID-scan facial geometry for anything beyond the verification the customer asked for, such as loyalty matching or marketing, is exactly the secondary use the right to limit targets. The California Privacy Protection Agency (CPPA) has been increasingly aggressive in its enforcement posture, and biometric data handled without these controls is a documented CPPA enforcement priority for 2026.


The Cannabis-Specific Biometric Risk Stack

What makes biometric privacy exposure particularly acute for cannabis operators is the intersection of mandatory ID scanning requirements and biometric privacy restrictions — two directly conflicting legal obligations that create a compliance paradox.

State cannabis regulations in virtually every market require dispensaries to verify customer age and identity before every transaction. Some states mandate ID scanning specifically. Illinois requires digital ID verification. This creates a scenario where failing to scan IDs is a cannabis licensing violation, while scanning IDs in a biometrically-enabled way without proper consent is a BIPA violation. Operators are caught between two sets of legal requirements pointing in opposite directions.

The resolution — and it exists — lies in two distinctions that every dispensary must understand:

Distinction 1: Age verification vs. biometric collection
A scanner that reads the text and data on an ID document (name, date of birth, expiration date, ID number), typically by decoding the PDF417 barcode on the back of the card, without analyzing facial geometry is performing age verification, not biometric collection. BIPA is triggered only when the system extracts or analyzes unique physiological characteristics: facial geometry templates, fingerprint maps, iris patterns. A purely document-reading scanner does not trigger BIPA. A face-match feature that compares the card photo against a live camera frame, or any system that turns the photo into a faceprint template, does. Storing a plain image of the card, by contrast, is not a BIPA identifier, but it is personal information subject to the state retention rules below and to ordinary breach-notification law.

Distinction 2: Scan-and-discard vs. scan-and-retain
Several states explicitly require that ID scan data be immediately purged after age verification is confirmed. BIPA itself, in section 15(a), requires a written retention schedule and destruction of biometric data when the purpose for collection is satisfied or within three years of the individual's last interaction, whichever comes first. Dispensaries whose scanners are configured to retain scanned ID images or biometric templates beyond the point of age confirmation are building a historical database that has no legitimate legal purpose and steadily growing legal liability.

State-by-state ID retention requirements vary dramatically:

  • Illinois: Parsed data must be flushed immediately after determining eligibility
  • Arizona: Information may not be retained after verifying age; no secondary use permitted
  • Montana: PII from ID scans retained maximum 180 days; no third-party transfer
  • Colorado: May not acquire or record information beyond what a standard retail transaction requires
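The two distinctions above can be made concrete in the scanner pipeline itself. The following is an added example for this article, not code from the page, PharmaCann, TokenWorks or any scanner vendor. It assumes the scanner SDK hands the point of sale the raw text decoded from the PDF417 barcode on the back of the card (the AAMVA DL/ID layout: a short header, a directory of subfiles, then newline-separated elements tagged with three-letter IDs such as DBB for date of birth and DBA for expiration). It decides eligibility from the barcode alone, so no face is ever analyzed (Distinction 1), and the only object it returns contains no name, licence number, date of birth or image (Distinction 2). The payload it builds is constructed test data, not a real licence.

```python
"""Scan-and-discard age verification over an AAMVA PDF417 payload (added example)."""
from __future__ import annotations

import re
from dataclasses import asdict, dataclass
from datetime import date, datetime

MIN_AGE = 21
DOB, EXPIRES = "DBB", "DBA"          # AAMVA element IDs; US dates are MMDDYYYY

# Constructed sample, not a real person. DAQ is the licence number, DCS/DAC the
# name: exactly the fields a scan-and-retain scanner would keep and we will not.
SAMPLE_FIELDS = {"DAQ": "D12345678", "DCS": "DOE", "DAC": "JANE",
                 DOB: "03151998", EXPIRES: "03152030", "DAJ": "IL", "DCG": "USA"}


def build_payload(fields: dict[str, str]) -> str:
    """Assemble a one-subfile AAMVA payload (test data only)."""
    body = "DL" + "".join(f"{k}{v}\n" for k, v in fields.items()) + "\r"
    header = "@\n\x1e\rANSI 636035080001"   # IIN 636035, version 08, jur. version 00, 1 entry
    offset = len(header) + 10               # header plus one 10-character directory entry
    return f"{header}DL{offset:04d}{len(body):04d}{body}"


def parse_dl_elements(payload: str) -> dict[str, str]:
    """Return the DL/ID subfile elements keyed by their three-letter ID."""
    m = re.search(r"ANSI \d{6}\d{2}\d{2}(\d{2})", payload)
    if not m:
        raise ValueError("not an AAMVA payload")
    entries, pos, elements = int(m.group(1)), m.end(), {}
    for _ in range(entries):
        kind = payload[pos:pos + 2]
        offset, length = int(payload[pos + 2:pos + 6]), int(payload[pos + 6:pos + 10])
        pos += 10
        if kind not in ("DL", "ID"):        # skip jurisdiction-specific subfiles
            continue
        for element in payload[offset + 2:offset + length].split("\n"):
            element = element.strip("\r")
            if len(element) >= 3:
                elements[element[:3]] = element[3:]
    return elements


def years_between(born: date, on: date) -> int:
    """Whole years from `born` to `on`; a birthday not yet reached counts one less."""
    return on.year - born.year - ((on.month, on.day) < (born.month, born.day))


@dataclass(frozen=True)
class Outcome:
    """The only thing the POS keeps: no name, licence number, DOB or image."""
    eligible: bool
    reason: str        # "eligible" | "underage" | "expired" | "unreadable"
    checked_on: str    # ISO date of the check, for the transaction log


def verify_age(payload: str, today: date | str) -> Outcome:
    """Decide eligibility from the barcode, then let every identity field go."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    fields = parse_dl_elements(payload)
    try:
        born = datetime.strptime(fields[DOB], "%m%d%Y").date()
        expires = datetime.strptime(fields[EXPIRES], "%m%d%Y").date()
    except (KeyError, ValueError):
        reason = "unreadable"
    else:
        if expires < today:
            reason = "expired"
        elif years_between(born, today) < MIN_AGE:
            reason = "underage"
        else:
            reason = "eligible"
    # Scan-and-discard: nothing from `fields` reaches disk, a log line or the
    # outcome. (Python does not zero memory; what matters is what persists.)
    fields.clear()
    return Outcome(reason == "eligible", reason, today.isoformat())


def retained_keys(outcome: Outcome) -> set[str]:
    """What would land in the transaction record if `outcome` were logged as-is."""
    return set(asdict(outcome))


if __name__ == "__main__":
    print(verify_age(build_payload(SAMPLE_FIELDS), "2026-01-15"))
```

The design point is the return type: if the only object that survives the scan is `Outcome`, a retention audit reduces to reading one dataclass, and the Illinois, Arizona and Colorado rules above are satisfied by construction rather than by a vendor setting someone has to remember to check.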

Facial Recognition at the Door: The Emerging Frontier

Beyond ID scanners, an increasing number of cannabis dispensaries have deployed or explored facial recognition systems at entry points: technology that uses cameras to verify returning customer identity, flag banned individuals, detect known shoplifters, or enable a frictionless check-in for loyalty program members.

This is the most legally dangerous biometric deployment in cannabis retail. Facial recognition systems at dispensary entrances capture facial geometry data from every person who enters, including individuals who never consented to biometric collection, who are simply curious passersby, or who are non-purchasing visitors accompanying a patient.

The legal exposure is comprehensive. Under BIPA, every person whose facial geometry is captured and processed without a written release is a potential plaintiff. Under the MHMD in Washington, capturing facial geometry data from individuals entering a cannabis facility and using it to build behavioral profiles or target advertising is a direct statutory violation with a private right of action. Under CCPA/CPRA in California, facial geometry used to identify a person is sensitive personal information: you owe notice at collection and must honor a request to limit its use, and neither is satisfied by implied consent from walking into a store.

VICE documented as early as 2024 that cannabis shops were deploying facial recognition technology and that "data collected could violate federal health privacy laws such as HIPAA", and that data breaches of such systems would create catastrophic exposure. The intersection of facial recognition, cannabis purchase history, and verified identity creates exactly the kind of sensitive health-behavioral data profile that is most attractive to bad actors and most protected by the law.


The Vendor Accountability Gap

One of the most important, and most overlooked, dimensions of dispensary biometric liability is vendor accountability. In the PharmaCann/TokenWorks case, both the dispensary and the ID scanner vendor were named as defendants. The plaintiffs' theory was that the vendor was profiting from deploying its technology at the dispensary without consent infrastructure, and the dispensary was liable for allowing that deployment to occur on its premises.

This dual-liability theory is the standard BIPA litigation template. The vendor says "our technology can be configured to comply." The dispensary says "we trusted the vendor's default settings." Plaintiffs name both, and both spend years in litigation before a court or a settlement allocates the cost between them.

For cannabis operators, this means that selecting an ID scanning or facial recognition vendor is not just a technology procurement decision. It is a legal liability decision. Every vendor in your ID verification stack must be evaluated for:

  • Does the system collect biometric data (facial geometry templates, fingerprint maps) or only document text data?
  • What are the default data retention settings, and how are they configured for your specific deployment?
  • Is the vendor's consent architecture BIPA-compliant — does it support the written notice and affirmative consent workflow required by Illinois law?
  • Where is collected data stored, and who has access to it beyond your dispensary?
  • What is the vendor's breach notification commitment, and have they ever suffered a breach affecting cannabis operator clients?
  • Does the vendor carry appropriate liability insurance for biometric privacy violations, and will they indemnify your dispensary in litigation?

If your ID scanner vendor cannot answer these questions definitively and in writing, treat that as a red flag that requires immediate escalation.


Building a BIPA-Compliant ID Verification Program

The operational path to biometric compliance for cannabis dispensaries is achievable without sacrificing age verification effectiveness. Here's the framework:

Step 1: Audit Your Current Scanner Technology
Contact your ID scanner vendor and request documentation on exactly what data their system collects, processes, retains, and transmits. Ask specifically: does the system create, extract, or store facial geometry templates or any other biometric identifier as defined by BIPA? Get the answer in writing.

Step 2: Configure Scan-and-Discard Settings
Most ID scanning platforms offer configurable data retention settings. If your scanner is currently storing scanned ID images, parsed barcode fields, or any associated biometric data, reconfigure it to purge all data immediately after age verification is confirmed. Document the change: export the scanner's configuration, take a timestamped screenshot, and keep both with the change record, because you may later need to prove exactly when retention stopped.

Step 3: Implement Written Consent for Biometric Collection
If your dispensary uses any system that captures facial geometry, fingerprints, or other biometric identifiers (loyalty app facial check-in, facial recognition access control, or any ID scanner with face-match or other biometric analysis capability), implement a BIPA-compliant written consent flow before any collection occurs. Consent must be:

  • In writing, not verbal (the 2024 amendments confirm that an electronic signature satisfies the written-release requirement)
  • Signed or digitally acknowledged by the individual before collection begins
  • Specific about what data is being collected, the purpose, and the retention period
  • Stored in a retrievable, timestamped record

Step 4: Post NYC-Required Biometric Signage
For any New York City location using biometric data collection of any kind, post the required signage at every entrance point where collection occurs. The signage must be clear, conspicuous, and describe what biometric data is being collected.

Step 5: Update Privacy Notices Across All Properties
Your dispensary's Privacy Policy, online menu, loyalty program enrollment flow, and any in-store posted privacy notice must disclose all biometric data collection practices specifically: what is collected, why, how long it is retained, and whether it is shared with any third parties.

Step 6: Execute Vendor Data Processing Agreements
Every ID scanner vendor, facial recognition provider, and loyalty platform with camera access must sign a Data Processing Agreement that explicitly restricts their use of biometric data, commits them to BIPA-equivalent data handling standards, and includes a 24-hour breach notification obligation.
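Steps 3 and 2 together describe a record that has to exist before any template is computed and a clock that starts when it is. The following is an added example for this article, not the page's or any vendor's code. It assumes the POS or loyalty app already captures an electronic signature and can pass a reference to it; the ledger only records that a written release with the BIPA-required fields (purpose, retention period, signed before collection) exists, makes the record tamper-evident with an HMAC chain, refuses to run a biometric extractor for a subject with no release on file, and computes the section 15(a) destruction deadline: the date the purpose is satisfied or three years after the last interaction, whichever comes first. The key, subject IDs and signature reference are placeholders.

```python
"""Consent ledger gating biometric collection, with retention deadline (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import date
from typing import Callable, Optional


class ConsentMissing(Exception):
    """Raised when biometric collection is attempted without a written release."""


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str         # internal customer/loyalty id, never the biometric itself
    identifier_type: str    # e.g. "facial_geometry", "fingerprint"
    purpose: str            # the specific purpose disclosed to the subject
    retention_days: int     # retention period disclosed to the subject
    signed_on: str          # ISO date the release was signed, before collection
    signature_ref: str      # pointer to the stored e-signature artefact
    prev_digest: str        # digest of the previous record ("" for the first)
    digest: str             # HMAC over this record's fields plus prev_digest


class ConsentLedger:
    def __init__(self, key: bytes) -> None:
        self._key = key                  # placeholder; hold this in a KMS/HSM in production
        self.records: list[ConsentRecord] = []

    def _digest(self, body: dict, prev_digest: str) -> str:
        canon = json.dumps({**body, "prev_digest": prev_digest}, sort_keys=True).encode()
        return hmac.new(self._key, canon, hashlib.sha256).hexdigest()

    def record(self, subject_id: str, identifier_type: str, purpose: str,
               retention_days: int, signed_on: str, signature_ref: str) -> ConsentRecord:
        """Append a release. Call this before the first extraction, never after."""
        body = dict(subject_id=subject_id, identifier_type=identifier_type, purpose=purpose,
                    retention_days=retention_days, signed_on=signed_on, signature_ref=signature_ref)
        prev = self.records[-1].digest if self.records else ""
        rec = ConsentRecord(**body, prev_digest=prev, digest=self._digest(body, prev))
        self.records.append(rec)
        return rec

    def has_release(self, subject_id: str, identifier_type: str) -> bool:
        return any(r.subject_id == subject_id and r.identifier_type == identifier_type
                   for r in self.records)

    def verify_chain(self) -> bool:
        """Recompute every digest; any edited, dropped or reordered record fails."""
        prev = ""
        for r in self.records:
            body = {k: v for k, v in asdict(r).items() if k not in ("prev_digest", "digest")}
            if r.prev_digest != prev or not hmac.compare_digest(r.digest, self._digest(body, prev)):
                return False
            prev = r.digest
        return True


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                   # 29 February into a non-leap year
        return d.replace(year=d.year + years, day=28)


def destruction_deadline(last_interaction: str, purpose_satisfied: Optional[str] = None) -> str:
    """BIPA 15(a): purpose satisfied or 3 years after last interaction, whichever is first."""
    three_years = add_years(date.fromisoformat(last_interaction), 3)
    if purpose_satisfied is None:
        return three_years.isoformat()
    return min(three_years, date.fromisoformat(purpose_satisfied)).isoformat()


def collect_biometric(ledger: ConsentLedger, subject_id: str, identifier_type: str,
                      extractor: Callable[[], bytes]) -> bytes:
    """The only path to the extractor: no release on file, no template."""
    if not ledger.has_release(subject_id, identifier_type):
        raise ConsentMissing(f"no written release on file for {subject_id}/{identifier_type}")
    return extractor()


if __name__ == "__main__":
    ledger = ConsentLedger(b"example-key-not-for-production")
    ledger.record("cust-001", "facial_geometry", "loyalty check-in", 365, "2026-01-10", "esig-7f3a")
    print(collect_biometric(ledger, "cust-001", "facial_geometry", lambda: b"<template>"))
    print("chain ok:", ledger.verify_chain(), "destroy by:", destruction_deadline("2026-01-10"))
```

Two choices matter here. The gate lives in front of the extractor rather than in the UI, so a vendor SDK or a new loyalty feature cannot compute a template for someone the ledger has never seen. And the chain is keyed, so a record cannot be back-dated or re-purposed after a demand letter arrives without the verification failing, which is the kind of evidence a compliant consent workflow needs to produce in litigation.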


The License-Compliance Paradox: Resolved

The apparent contradiction between mandatory ID scanning requirements and biometric privacy compliance resolves cleanly once you understand the actual legal obligations. You must verify age and identity, but you do not have to do it with biometric technology. Document-reading scanners that decode the card's barcode, confirm date of birth, and check for expired or fraudulent credentials without extracting facial geometry templates satisfy cannabis licensing requirements and do not trigger BIPA. The name, ID number and card image such a scanner reads are still personal information: the state retention rules listed above and ordinary breach-notification law apply to them, so scan-and-discard remains the right configuration even where BIPA does not reach.

If you are using biometric technology specifically (facial recognition for loyalty check-in, fingerprint scanners for employee access, or any system generating biometric templates), you need documented consent before each individual's first interaction with that system. In Illinois that means a written release; Texas and Washington require notice and consent; New York City requires posted signage; California requires notice at collection and a working right to limit. Written, timestamped consent captured before collection satisfies all of them at once, and it is the only reliable defense against class-action litigation.

The technology vendors who served the cannabis industry's rapid scaling phase defaulted to maximum data collection because data was valuable and nobody was enforcing the limits. In 2026, with BIPA still generating nine-figure settlement totals even after amendments, with California's CPPA expanding biometric enforcement, and with the MHMD creating private rights of action for health-adjacent biometric data in Washington, the cost of those default settings has never been higher.


The Bottom Line

Your ID scanner is not just a compliance tool. It may be a liability generator that has been silently building a biometric database of your entire customer population since the day you opened. The lawsuit against PharmaCann and TokenWorks is not a cautionary tale from a hypothetical future — it was filed in Cook County circuit court against one of the country's largest cannabis operators. The BIPA class actions that generated $136.6 million in settlements in 2025 alone involved the same technology deployed in the same way that thousands of cannabis dispensaries are operating right now.

The fix is not complicated or expensive. It is a vendor audit, a configuration review, a consent flow update, and a Data Processing Agreement. The cost of doing it is measured in hours and legal fees. The cost of not doing it is measured in class-action settlements, regulatory investigations, and license reviews.


cannasecure.tech helps cannabis dispensaries conduct biometric technology audits, build BIPA-compliant consent infrastructure, and execute vendor security assessments that protect your business from the biometric privacy litigation wave hitting cannabis retail in 2026. Contact us for a biometric compliance assessment.
